varnish-cache/vmod/vmod_proxy.c
0
/*-
1
 * Copyright (c) 2018 GANDI SAS
2
 * All rights reserved.
3
 *
4
 * Author: Emmanuel Hocdet <manu@gandi.net>
5
 *
6
 * SPDX-License-Identifier: BSD-2-Clause
7
 *
8
 * Redistribution and use in source and binary forms, with or without
9
 * modification, are permitted provided that the following conditions
10
 * are met:
11
 * 1. Redistributions of source code must retain the above copyright
12
 *    notice, this list of conditions and the following disclaimer.
13
 * 2. Redistributions in binary form must reproduce the above copyright
14
 *    notice, this list of conditions and the following disclaimer in the
15
 *    documentation and/or other materials provided with the distribution.
16
 *
17
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20
 * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
21
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27
 * SUCH DAMAGE.
28
 */
29
30
#include "config.h"
31
32
#include <ctype.h>
33
#include <stdlib.h>
34
#include <string.h>
35
36
#include "cache/cache.h"
37
38
#include "vend.h"
39
40
#include "proxy/cache_proxy.h"
41
42
#include "vcc_proxy_if.h"
43
44
45
struct pp2_tlv_ssl {
46
        uint8_t  client;
47
        uint32_t verify;
48
}__attribute__((packed));
49
50
#define PP2_CLIENT_SSL           0x01
51
#define PP2_CLIENT_CERT_CONN     0x02
52
#define PP2_CLIENT_CERT_SESS     0x04
53
54
static VCL_BOOL
55 120
tlv_ssl_flag(VRT_CTX, int flag)
56
{
57
        const struct pp2_tlv_ssl *dst;
58
        int len;
59 120
        CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
60
61 120
        if (VPX_tlv(ctx->req, PP2_TYPE_SSL, (const void **)&dst, &len))
62 0
                return (0);
63
64 120
        return ((dst->client & flag) == flag);
65 120
}
66
67
VCL_BOOL v_matchproto_(td_proxy_is_ssl)
68 40
vmod_is_ssl(VRT_CTX)
69
{
70 40
        return (tlv_ssl_flag(ctx, PP2_CLIENT_SSL));
71
}
72
73
VCL_BOOL v_matchproto_(td_proxy_client_has_cert_sess)
74 40
vmod_client_has_cert_sess(VRT_CTX)
75
{
76 40
        return (tlv_ssl_flag(ctx, PP2_CLIENT_CERT_SESS));
77
}
78
79
VCL_BOOL v_matchproto_(td_proxy_client_has_cert_conn)
80 40
vmod_client_has_cert_conn(VRT_CTX)
81
{
82 40
        return (tlv_ssl_flag(ctx, PP2_CLIENT_CERT_CONN));
83
}
84
85
/* return come from SSL_get_verify_result */
86
VCL_INT v_matchproto_(td_proxy_ssl_verify_result)
87 40
vmod_ssl_verify_result(VRT_CTX)
88
{
89
        const struct pp2_tlv_ssl *dst;
90
        int len;
91 40
        CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
92
93 40
        if (VPX_tlv(ctx->req, PP2_TYPE_SSL, (const void **)&dst, &len))
94 0
                return (0); /* X509_V_OK */
95
96 40
        return (vbe32dec(&dst->verify));
97 40
}
98
99
static VCL_STRING
100 280
tlv_string(VRT_CTX, int tlv)
101
{
102
        const char *ptr;
103
        char *d;
104
        int len;
105
106 280
        CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
107
108 280
        if (VPX_tlv(ctx->req, tlv, (const void **)&ptr, &len))
109 40
                return (NULL);
110 240
        d = WS_Alloc(ctx->ws, len+1);
111 240
        if (d == NULL) {
112 0
                VRT_fail(ctx, "proxy.TLV: out of workspace");
113 0
                return (NULL);
114
        }
115 240
        AN(ptr);
116 240
        memcpy(d, ptr, len);
117 240
        d[len] = '\0';
118 240
        return (d);
119 280
}
120
121
VCL_STRING v_matchproto_(td_proxy_alpn)
122 40
vmod_alpn(VRT_CTX)
123
{
124 40
        return (tlv_string(ctx, PP2_TYPE_ALPN));
125
}
126
127
VCL_STRING v_matchproto_(td_proxy_authority)
128 40
vmod_authority(VRT_CTX)
129
{
130 40
        return (tlv_string(ctx, PP2_TYPE_AUTHORITY));
131
}
132
133
VCL_STRING v_matchproto_(td_proxy_ssl_version)
134 40
vmod_ssl_version(VRT_CTX)
135
{
136 40
        return (tlv_string(ctx, PP2_SUBTYPE_SSL_VERSION));
137
}
138
139
VCL_STRING v_matchproto_(td_proxy_ssl_cipher)
140 40
vmod_ssl_cipher(VRT_CTX)
141
{
142 40
        return (tlv_string(ctx, PP2_SUBTYPE_SSL_CIPHER));
143
}
144
145
VCL_STRING v_matchproto_(td_proxy_cert_sign)
146 40
vmod_cert_sign(VRT_CTX)
147
{
148 40
        return (tlv_string(ctx, PP2_SUBTYPE_SSL_SIG_ALG));
149
}
150
151
VCL_STRING v_matchproto_(td_proxy_cert_key)
152 40
vmod_cert_key(VRT_CTX)
153
{
154 40
        return (tlv_string(ctx, PP2_SUBTYPE_SSL_KEY_ALG));
155
}
156
157
VCL_STRING v_matchproto_(td_proxy_client_cert_cn)
158 40
vmod_client_cert_cn(VRT_CTX)
159
{
160 40
        return (tlv_string(ctx, PP2_SUBTYPE_SSL_CN));
161
}